Brizy WordPress Plugin Exploit Chains Allow Full Site Takeovers
Vulnerabilities in the Brizy Page Builder plugin for WordPress sites could be chained together to allow attackers to completely take over a website, according to researchers.
Brizy (or Brizy – Page Builder) has been installed on more than 90,000 sites. It’s billed as an intuitive website builder for those without technical skills. It comes with a collection of more than 500 pre-designed blocks, maps and video integration, and drag-and-drop design functionality. According to researchers, prior to version 2.3.17 it also came with a stored cross-site scripting (XSS) issue and an arbitrary file-upload vulnerability.
These two bugs, when combined with another flaw that allows authorization bypass and privilege escalation, can become dangerous, Wordfence researchers cautioned.
“During a routine review of our firewall rules, we found traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack,” researchers at Wordfence explained in a Wednesday posting. “This led us to discover two new vulnerabilities as well as a previously patched access-control vulnerability in the plugin that had been reintroduced.”
The two fresh bugs can both be chained with the re-introduced access-control vulnerability to allow complete site takeover, researchers explained. Combined with the stored XSS bug, any logged-in user would be able to modify any published post and inject malicious JavaScript into it. Paired with the file-upload bug, any logged-in user could upload potentially executable files and achieve remote code execution.
Foundation for Attack: A Re-Introduced Access Control Bug
The older access-control bug (now tracked as CVE-2021-38345) was patched in June 2020, but reintroduced in version 1.0.127 this year. It’s a high-severity issue that stems from a lack of proper authorization checks, according to Wordfence, allowing attackers to modify posts.
Researchers noted that the plugin uses a pair of administrator functions for a wide variety of authorization checks, and “any user that passed one of these checks was assumed to be an administrator.” They added, “being logged in and accessing any endpoint in the wp-admin directory was sufficient to pass this check.”
The upshot of this is that all logged-in users, such as subscribers to a newsletter, were allowed to modify any post or page that had been created or edited with the Brizy editor, even if it had already been published.
“While this vulnerability might only be a nuisance on its own, allowing attackers to replace the original contents of pages, it enabled two additional vulnerabilities that could each be used to take over a site,” according to Wordfence’s analysis.
Authenticated Stored Cross-Site Scripting
The first follow-on bug is a medium-severity stored XSS issue (CVE-2021-38344), which allows attackers to inject malicious scripts into web pages. Because it’s a stored XSS bug, rather than a reflected one, victims need only visit the infected page in order to be attacked.
On its own, the bug allows a lower-privileged user (such as a contributor or subscriber) to add JavaScript to an update request, which would then be executed if the post were viewed or previewed by another user, such as an administrator. It becomes dangerous, however, when combined with the authorization bypass, researchers said.
“Thanks to the authorization check vulnerability, even the lowest-privileged users, such as subscribers, could add malicious JavaScript to any page, allowing them to take over a site,” the researchers noted. “JavaScript running in an administrator’s session could allow an attacker to perform actions such as adding a new administrative user, escalating the privileges of an existing user, or adding backdoor functionality to existing plugin or theme files.”
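The two failure modes described above, a capability check that only confirms the request reached the wp-admin area and post content stored without output-safe filtering, are shown side by side below as an added example. This is illustrative code written for this page, not Brizy’s code; the weak handler is an assumed pattern consistent with Wordfence’s description (“being logged in and accessing any endpoint in the wp-admin directory was sufficient to pass this check”), and the function and nonce names (`example_weak_save_post`, `example_hardened_save_post`, `example_save_post`) are hypothetical. The WordPress API calls (`is_admin`, `current_user_can`, `check_ajax_referer`, `wp_kses_post`, `wp_update_post`) are real.

```php
<?php
// Added illustration (not the plugin's code): an admin-ajax save handler written
// two ways. Function names and the 'example_save_post' action are hypothetical.

// --- Weak pattern (assumed; mirrors the article's description) ----------------
function example_weak_is_admin_check() {
    // is_admin() answers "is this an admin-area request?", not "is this user an
    // administrator?". Any logged-in user calling admin-ajax.php passes this.
    return is_user_logged_in() && is_admin();
}

function example_weak_save_post() {
    if ( ! example_weak_is_admin_check() ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $post_id = absint( $_POST['post_id'] ?? 0 );
    // Stored verbatim: whatever the caller sends is rendered to every later
    // viewer of the post, which is the stored-XSS condition.
    $content = wp_unslash( $_POST['content'] ?? '' );
    wp_update_post( array( 'ID' => $post_id, 'post_content' => $content ) );
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------
function example_hardened_save_post() {
    // 1. CSRF: the request must carry a nonce issued for this specific action.
    check_ajax_referer( 'example_save_post', 'nonce' );

    // 2. Authorization: ask WordPress whether *this user* may edit *this post*.
    //    Subscribers do not hold edit_post for anyone's published content.
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Sanitization: wp_kses_post() applies WordPress's own allow-list for
    //    post content, dropping <script> tags and on* event-handler attributes
    //    while keeping ordinary markup.
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );

    $result = wp_update_post(
        array( 'ID' => $post_id, 'post_content' => $content ),
        true // return WP_Error instead of 0 on failure
    );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// Only the hardened handler is registered; the weak one exists for comparison.
add_action( 'wp_ajax_example_save_post', 'example_hardened_save_post' );
```

The practical check when reviewing a plugin is to grep its AJAX and REST handlers for `is_admin()` used as the sole gate and for `$_POST` values written to `post_content` without `wp_kses_post()` or an equivalent filter; either pattern reproduces one of the two conditions the article describes.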
Source: threatpost.com